Random Web Pages Opening With Security Running
#1 alexio (Members, 4 posts)

Posted 26 August 2006 - 03:00 PM

Hello friends,
I have come to Spain to see a friend, and have offered to help him with a few computer issues he was having. He had no security and is running internet through dial-up!!!! (They're a bit behind here!!!)
It was completely riddled with viruses and spyware, malware, trojans, etc., registry wrongdoings... the list goes on.
It's a Dell laptop, and I have now installed the recommended security programmes of HJT, SpywareGuard, AVG, ZoneAlarm, and am forcing him to install Windows Service Pack 2! (His local computer shop told him not to bother due to dial-up and size issues, but I'm sure this is the root of all his problems.) We have now cleaned the machine as far as my knowledge takes us, but still have random IE and Firefox screens opening up with adverts. This is very annoying and indicates the problem is not yet fully solved. All the help you guys have given me in the past made this the 1st port of call; hopefully you can work your magic again.

Logfile of HijackThis v1.99.1
Scan saved at 21:40:46, on 26/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\{CCBFC449-03EA-2057-0913-01010626002c}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\V2luZG93cw\command.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Slow dupe] C:\DOCUME~1\Alex\APPLIC~1\PLUSTW~1\MEAL FLAG.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {35F59C80-C1F2-4EEA-9981-686C7D5A9277} - http://ocx1.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {4B0999FD-6937-11D5-8FEC-00606779369C} (NetConf) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137002405273
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156437554547
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-es/es/games3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72EE2AF4-4DFB-44EE-AEF5-4338C5131DD9}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C619D4CB-20F5-43CF-BA19-7AF4DE15B5E0}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD01BE8B-9558-4A61-985E-4A17E1BD0078}: NameServer = 80.58.0.33
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\k044lahq1d4e.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\wV2topl.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\V2luZG93cw\command.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Umm, don't know what else to tell you; hope you can respond soon. I'm only in Spain a few more days, and if not Alex will have to follow your responses, so try and keep them simple. Thanks again (especially if you have read this far!). Tom.

Edited by alexio, 26 August 2006 - 03:05 PM.
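The log above is what the helpers in the replies read by hand. As an added example (not part of the thread and not HijackThis code), here is a small Python triage script that applies a few of the same heuristics to HJT lines: Winlogon Notify packages outside an allow-list (KNOWN_NOTIFY is an assumption for illustration), O23 services with no owner string, random-looking DLL/EXE names, O4 autoruns launched from the user's Application Data folder, O16 ActiveX downloads with "dialer" in the URL, and path components that decode as base64 (V2luZG93cw is base64 for "Windows"). SAMPLE_LOG is a constructed subset copied from the first log in this thread.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; it is not HijackThis code and not the
helper's method verbatim.  KNOWN_NOTIFY and the rules below are assumptions
for illustration; a real allow-list must be built per Windows version.
"""
from __future__ import annotations

import base64
import binascii
import re

# Winlogon Notify packages expected on a patched Windows XP box (assumed
# allow-list; WgaLogon is the Windows Genuine Advantage package in the log).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wgalogon", "wlballoon"}

# Lines copied from the first HJT log in the thread (constructed subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Slow dupe] C:\DOCUME~1\Alex\APPLIC~1\PLUSTW~1\MEAL FLAG.exe
O16 - DPF: {35F59C80-C1F2-4EEA-9981-686C7D5A9277} - http://ocx1.advnt01.com/dialer/internazionale_ver3.CAB
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\k044lahq1d4e.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\V2luZG93cw\command.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# first Windows path on the line, up to a closing quote or end of line
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+')
# letters+digits only, at least one of each, 8+ chars: k044lahq1d4e matches
_RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}", re.I)


def decode_base64_name(name: str) -> str | None:
    """Return the decoded text if a path component is base64 of printable
    ASCII (e.g. V2luZG93cw -> 'Windows'), else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", name):
        return None
    padded = name + "=" * (-len(name) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def extract_path(line: str) -> str | None:
    m = _PATH_RE.search(line)
    return m.group(0).strip() if m else None


def triage_line(line: str) -> list[str]:
    """Reasons a single HJT line deserves a closer look (empty = nothing found)."""
    reasons: list[str] = []
    section = line.split(" - ", 1)[0]
    path = extract_path(line)

    if section == "O20" and "Winlogon Notify: " in line:
        pkg = line.split("Winlogon Notify: ", 1)[1].split(" - ", 1)[0]
        if pkg.lower() not in KNOWN_NOTIFY:
            reasons.append(f"Winlogon Notify package {pkg!r} not in allow-list")
    if section == "O23" and "Unknown owner" in line:
        reasons.append("service binary carries no company/owner string")
    if section == "O16" and "dialer" in line.lower():
        reasons.append("ActiveX download (DPF) with 'dialer' in its URL")
    if section == "O4" and path and re.search(r"\\(APPLIC~1|Application Data)\\", path, re.I):
        reasons.append("autorun launched from the user's Application Data folder")

    if path:
        base = path.rsplit("\\", 1)[-1]
        stem = base.rsplit(".", 1)[0]
        if _RANDOM_NAME_RE.fullmatch(stem):
            reasons.append(f"random-looking file name {base!r}")
        for part in path.split("\\"):
            decoded = decode_base64_name(part)
            if decoded is not None:
                reasons.append(f"folder {part!r} is base64 for {decoded!r}")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each suspicious line of an HJT log to its list of reasons."""
    findings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

On the sample, four of the seven lines are flagged (the "Slow dupe" autorun, the dialer CAB, the unknown Winlogon Notify DLL, and cmdService in the base64-named folder) while the ZoneAlarm and WgaLogon entries pass; the O17 NameServer lines are deliberately not scored, since whether a DNS server is legitimate has to be checked against the ISP rather than guessed from the log.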



#2 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 27 August 2006 - 08:46 AM

Hello,

This system is still terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused. Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware has already caused.

Please perform my next steps in the right order...
It is important you don't miss a step and perform everything in the right order!!

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon, as shown in the next picture: [image not reproduced]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it, choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded, click OK, and click Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

--------------------

Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido and reboot!!
    I need the log later.
-------------------------

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog and the log from Ewido.
You may need several replies to post the logs.

#3 alexio (Topic Starter, Members, 4 posts)

Posted 29 August 2006 - 12:31 PM

Hi, thank you for your response.
I have done all you asked for, but being on holiday it has been slow, and it also resulted in one change from your set of instructions. I set Ewido running and it found over 1000 infected files by about 70%, but then I had to leave; apparently it completed, but then the system crashed, so although it kinda sorted it, it didn't save the log. I repeated the scan; it only found about 13 infected files, and I hope the log file will be OK.


Logfile of HijackThis v1.99.1
Scan saved at 19:23:23, on 29/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Slow dupe] C:\DOCUME~1\Alex\APPLIC~1\PLUSTW~1\MEAL FLAG.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {35F59C80-C1F2-4EEA-9981-686C7D5A9277} - http://ocx1.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {4B0999FD-6937-11D5-8FEC-00606779369C} (NetConf) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137002405273
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156437554547
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-es/es/games3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72EE2AF4-4DFB-44EE-AEF5-4338C5131DD9}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C619D4CB-20F5-43CF-BA19-7AF4DE15B5E0}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD01BE8B-9558-4A61-985E-4A17E1BD0078}: NameServer = 80.58.0.33
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:55:15 29/08/2006

+ Scan result:



C:\WINDOWS\system32\__delete_on_reboot__m_v_q_m_._d_l_l_ -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\d00mlad11d0.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dtloader.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\f4l0le3m1h.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\f6l02g3mg6.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\igitpki.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lvr6099se.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mcgentr.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\n64slgh7164.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\p0n80a5ued.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pmintui.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\r66ulgj916o.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\r6p8lg7u16.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\siclient.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\slmpsnap.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sonsapi.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sqimeng.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[1588] C:\WINDOWS\system32\mvqm.dll -> Adware.Look2Me : Error during cleaning.
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\ShudderLTD -> Adware.PSGuard : Error during cleaning.
HKLM\SOFTWARE\ShudderLTD\PSGuard -> Adware.PSGuard : Error during cleaning.
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard -> Adware.PSGuard : Error during cleaning.
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License -> Adware.PSGuard : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rkinstaller.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rk.bin -> Adware.RK : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlls.dll -> Adware.RK : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rlvknlg.exe -> Adware.RK : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\Install.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Alex\Desktop\Green Day Dude\Desktop\2000\2000\Hook.dll -> Backdoor.AXW : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWFX5Y_0001_LPNetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



Alex - 06-08-29 19:12:25.99
ComboFix 06.08.26BT - Running from: C:\Documents and Settings\Alex\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{0CC7ABC2-E8D9-46B9-A166-F21C26136BD2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0CC7ABC2-E8D9-46B9-A166-F21C26136BD2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0CC7ABC2-E8D9-46B9-A166-F21C26136BD2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0CC7ABC2-E8D9-46B9-A166-F21C26136BD2}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvqm.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}]
@="SpywareGuard.Handler"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\InprocServer32]
@="C:\\Program Files\\SpywareGuard\\spywareguard.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\ProgID]
@="SpywareGuard.Handler"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\TypeLib]
@="{F444B57C-5883-4D43-9AB8-344FC5606836}"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\VERSION]
@="1.1"

[HKEY_CLASSES_ROOT\CLSID\{C348D395-BD5F-438E-98DD-BE09A912D7F9}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\CLSID\{C348D395-BD5F-438E-98DD-BE09A912D7F9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C348D395-BD5F-438E-98DD-BE09A912D7F9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C348D395-BD5F-438E-98DD-BE09A912D7F9}\InprocServer32]
@="C:\\WINDOWS\\system32\\igitpki.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{510E0DAB-0BBF-4452-9595-B995DAE77869}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{510E0DAB-0BBF-4452-9595-B995DAE77869}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{510E0DAB-0BBF-4452-9595-B995DAE77869}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{510E0DAB-0BBF-4452-9595-B995DAE77869}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cemetrix.dll
C:\WINDOWS\system32\setup.exe.tmp
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\Deskbar
C:\Program Files\Common Files\{CCBFC449-03EA-2057-0913-01010626002c}
C:\Program Files\Common Files\{CCBFC449-03EB-2057-0913-01010626002c}


((((((((((((((((((((((((((((((( Files Created from 2006-07-29 to 2006-08-29 ))))))))))))))))))))))))))))))))))


2006-08-29 12:28 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2006-08-26 14:10 977,920 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-08-26 14:10 97,280 --a------ C:\WINDOWS\system32\txflog.dll
2006-08-26 14:10 82,432 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-08-26 14:10 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2006-08-26 14:10 64,512 --a------ C:\WINDOWS\system32\colbact.dll
2006-08-26 14:10 596,480 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-08-26 14:10 499,200 --a------ C:\WINDOWS\system32\comuid.dll
2006-08-26 14:10 442,880 --a------ C:\WINDOWS\system32\rpcrt4.dll
2006-08-26 14:10 365,568 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-08-26 14:10 226,816 --a------ C:\WINDOWS\system32\es.dll
2006-08-26 14:10 225,280 --a------ C:\WINDOWS\system32\catsrv.dll
2006-08-26 14:10 214,528 --a------ C:\WINDOWS\system32\rpcss.dll
2006-08-26 14:10 150,528 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-08-26 14:10 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-08-26 14:10 1,177,088 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-08-26 14:10 1,105,408 --a------ C:\WINDOWS\system32\ole32.dll
2006-08-26 13:59 0 -r--s---- C:\WINDOWS\system32\k044lahq1d4e.dll
2006-08-25 06:24 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-08-24 13:24 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-08-24 13:24 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-08-24 13:24 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2006-08-24 13:24 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-08-24 13:24 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2006-08-24 13:16 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-08-18 23:02 1,233 --a------ C:\WINDOWS\system32\ynu31afb.sys
2006-08-18 23:00 61,952 --a------ C:\WINDOWS\system32\ynu31afb.dll
2006-08-18 21:13 8,464 --a------ C:\WINDOWS\system32\sporder.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-29 19:13 -------- d-------- C:\Program Files\Common Files
2006-08-29 19:00 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-29 17:40 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-27 17:24 -------- d-------- C:\Program Files\Championship Manager 01-02
2006-08-27 11:11 -------- d-------- C:\Program Files\eMule
2006-08-26 21:19 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-26 17:49 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-26 17:43 -------- d-------- C:\Program Files\Eidos
2006-08-26 16:40 -------- d-------- C:\Program Files\Common Files\iuzi
2006-08-25 23:45 -------- d-------- C:\Documents and Settings\Alex\Application Data\plus two heck
2006-08-25 20:41 -------- d-------- C:\Documents and Settings\Alex\Application Data\AVG7
2006-08-25 20:40 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-25 20:40 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-08-25 20:40 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-08-25 20:40 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-25 20:40 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-08-25 20:40 -------- d-------- C:\Program Files\Grisoft
2006-08-25 20:39 -------- d---s---- C:\Documents and Settings\Alex\Application Data\Microsoft
2006-08-24 18:33 -------- d-------- C:\Program Files\Zone Labs
2006-08-24 18:30 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-24 14:18 -------- d-------- C:\Documents and Settings\Alex\Application Data\Mozilla
2006-08-24 14:04 -------- d-------- C:\Program Files\SpywareGuard
2006-08-24 13:16 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-08-24 13:00 -------- d-------- C:\Program Files\CCleaner
2006-08-24 12:43 -------- d-------- C:\Program Files\EPSON
2006-08-16 09:45 -------- d-------- C:\Program Files\Sports Interactive
2006-07-10 15:42 -------- d-------- C:\Program Files\MSN Messenger
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Slow dupe"="C:\\DOCUME~1\\Alex\\APPLIC~1\\PLUSTW~1\\MEAL FLAG.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"="mscornet.exe"
"nvctrl.exe"="nvctrl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"RunNarrator"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"RunNarrator"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AC07C7FB91887AAB.job

Completion time: 29/08/2006 19:16:07.64
ComboFix.txt

#4 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 29 August 2006 - 12:52 PM

Hello,

This is already looking a lot better, but we are not finished yet. As I see from your Ewido log (after the second scan), it looks like there was A LOT of malware present there, and I still do see some old leftovers as well.

That's why I want you to run another removal tool to get rid of some leftovers.

It is important you don't miss a step and perform everything in the right order!!

* Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

REBOOT! Important!

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}]
@="SpywareGuard.Handler"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}]

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\InprocServer32]
@="C:\\Program Files\\SpywareGuard\\spywareguard.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\ProgID]
@="SpywareGuard.Handler"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\Programmable]

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\TypeLib]
@="{F444B57C-5883-4D43-9AB8-344FC5606836}"

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\VERSION]
@="1.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Slow dupe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


Delete next folders and files manually:

C:\WINDOWS\system32\k044lahq1d4e.dll
C:\WINDOWS\system32\ynu31afb.sys
C:\WINDOWS\system32\ynu31afb.dll
C:\Program Files\Common Files\iuzi <== folder
C:\DOCUMENTS and Settings\Alex\APPLICATION DATA\plus two heck <== this folder

Open notepad and copy and paste next present in the quotebox in it:

%systemdrive%
cd %WinDir%\Tasks
attrib -r -s -h AC07C7FB91887AAB.job
del AC07C7FB91887AAB.job

Save this as deletelopjobs.bat , choose to save as *all files and place it on your desktop.
Doubleclick on it. The window will flash, this is normal.
(In case you are unsure how to create a bat file, take a look here with screenshots.)

* Open notepad and copy and paste next in it:

if exist %systemdrive%\look.txt del %systemdrive%\look.txt
cd\
rem /x lists the 8.3 short name next to each long name
cd %appdata%
dir /x >> %systemdrive%\look.txt
cd %allusersprofile%\Application Data
dir /x >> %systemdrive%\look.txt
rem /a:h includes hidden files, so hidden .job files in the Tasks folder show up too
dir %Windir%\tasks /a:h >> %systemdrive%\look.txt
start notepad %systemdrive%\look.txt


Save this as look.bat , choose to save it as *all files and place it on your desktop.
Doubleclick look.bat and post the content of the txtfile you get in your next reply together with a new hijackthislog and the contents of smitfiles.txt which is present on your Homedrive (C:\smitfiles.txt)

Edited by miekiemoes, 29 August 2006 - 12:53 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
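Before merging a fix like the one above it helps to see exactly what it will do, because REGEDIT4 syntax is terse: a line ending in =- deletes that value, a key written as [-KEY] deletes the whole key, and regedit refuses a file without the REGEDIT4 header (hence the reminder above). The auditor below is an added example, not code from this thread, from HijackThis or from smitRem; the sample file inside it is constructed from the shape of the fix.reg posted above.

```python
"""Audit a REGEDIT4 fix file before merging it: list what it will delete or set.

Added example, not code from the forum thread or from HijackThis/smitRem.
SAMPLE_REG is constructed from the shape of the fix.reg posted in the thread.
"""
import re

SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{81559C35-8464-49F7-BB0E-07A383BEF910}\InprocServer32]
@="C:\\Program Files\\SpywareGuard\\spywareguard.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')      # "name"=data or @=data


def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return a list of (op, key, value_name, data) tuples."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 header; regedit will not merge this file")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(('delete_key', key, None, None))
                current = None          # values after a [-KEY] line would be meaningless
            else:
                ops.append(('create_key', key, None, None))
                current = key
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = '(Default)' if name == '@' else unescape(name[1:-1])
            if data == '-':
                ops.append(('delete_value', current, name, None))
            elif data.lower().startswith('dword:'):
                ops.append(('set_dword', current, name, int(data[6:], 16)))
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                ops.append(('set_string', current, name, unescape(data[1:-1])))
            else:
                ops.append(('set_other', current, name, data))   # hex:, hex(2): etc.
            continue
        raise ValueError(f"unparsed line: {raw!r}")
    return ops


def destructive_ops(ops):
    """The subset a reviewer should read first: everything that deletes."""
    return [op for op in ops if op[0] in ('delete_key', 'delete_value')]


def describe(ops):
    out = []
    for op, key, name, data in ops:
        if op == 'delete_key':
            out.append(f"DELETE KEY   {key}")
        elif op == 'delete_value':
            out.append(f"DELETE VALUE {key}\\{name}")
        elif op == 'create_key':
            out.append(f"ensure key   {key}")
        else:
            out.append(f"set          {key}\\{name} = {data!r}")
    return "\n".join(out)


if __name__ == '__main__':
    print(describe(parse_reg(SAMPLE_REG)))
```

Run it against any fix.reg you are about to merge; the two DELETE lines it prints for the sample are the Run-value removal and the policies\explorer\run key removal, which is where a review should start.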

#5 alexio
  • Topic Starter
  • Members
  • 4 posts

Posted 01 September 2006 - 06:09 AM

Volume in drive C has no label.
Volume Serial Number is CCBF-C449

Directory of C:\Documents and Settings\Alex\Application Data

25/08/2006 20:41 <DIR> AVG7
09/08/2004 19:04 <DIR> IDENTI~1 Identities
11/05/2006 11:53 <DIR> Lavasoft
09/05/2006 18:37 <DIR> MACROM~1 Macromedia
24/08/2006 14:18 <DIR> Mozilla
22/05/2006 22:26 <DIR> Sun
22/05/2006 20:09 <DIR> winjoy
0 File(s) 0 bytes
7 Dir(s) 6,917,828,608 bytes free
Volume in drive C has no label.
Volume Serial Number is CCBF-C449

Directory of C:\Documents and Settings\All Users\Application Data

20/09/2005 21:50 <DIR> APPLEC~1 Apple Computer
30/08/2006 13:56 <DIR> avg7
25/08/2006 20:40 <DIR> Grisoft
28/08/2006 09:07 <DIR> LITEAX~1 Lite Axis 32 Bat
21/08/2004 14:09 <DIR> MSN6
20/09/2005 21:55 1,759 QTSBAN~1 QTSBandwidthCache
09/08/2004 01:56 <DIR> QUICKT~1 QuickTime
24/08/2006 12:59 <DIR> Symantec
21/01/2006 20:19 <DIR> WINDOW~1 Windows Genuine Advantage
1 File(s) 1,759 bytes
8 Dir(s) 6,917,824,512 bytes free
Volume in drive C has no label.
Volume Serial Number is CCBF-C449

Directory of C:\WINDOWS\tasks

18/08/2001 16:00 65 desktop.ini
01/09/2006 12:41 6 SA.DAT
2 File(s) 71 bytes
0 Dir(s) 6,917,824,512 bytes free




Logfile of HijackThis v1.99.1
Scan saved at 12:51:17, on 01/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ewido anti-spyware.lnk = C:\Program Files\ewido anti-spyware 4.0\ewido.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {35F59C80-C1F2-4EEA-9981-686C7D5A9277} - http://ocx1.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {4B0999FD-6937-11D5-8FEC-00606779369C} (NetConf) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137002405273
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156437554547
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-es/es/games3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72EE2AF4-4DFB-44EE-AEF5-4338C5131DD9}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C619D4CB-20F5-43CF-BA19-7AF4DE15B5E0}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD01BE8B-9558-4A61-985E-4A17E1BD0078}: NameServer = 80.58.0.33
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




smitRem © log file
version 3.1

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: 01/09/2006
The current time is: 12:23:15.36

Running from
C:\Documents and Settings\Alex\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key present!

Running LTDFix/PSGuard.com fix!

checking for PSGuard.com key


PSGuard.com key not present!



ShudderLTD key was successfully removed! :thumbsup:


if previously present, PSGuard.com key was successfully removed! :flowers:


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Killing PID 856 'explorer.exe'
Error 0x5 : Access is denied.


Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :huh:

#6 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 September 2006 - 06:21 AM

Hi, delete next folder as well:

C:\Documents and Settings\All Users\Application Data\Lite Axis 32 Bat

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O16 - DPF: {35F59C80-C1F2-4EEA-9981-686C7D5A9277} - http://ocx1.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {4B0999FD-6937-11D5-8FEC-00606779369C} (NetConf) -
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-es/es/games3.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post a new hijackthislog and let me know in your next reply how things are running now.
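The O16 lines picked out above are ActiveX controls that Internet Explorer downloaded (DPF = Downloaded Program Files), and the O17 lines are the DNS servers configured per network adapter; in both cases the first thing a reviewer wants is the host or address behind each entry. The parser below is an added example, not code from this thread or from HijackThis; the sample lines are copied from the log posted in this thread, and the trusted-host list is an assumption made for the demo.

```python
"""Triage HijackThis O16 (downloaded ActiveX) and O17 (DNS server) lines.

Added example, not code from the thread or from HijackThis. The sample
lines are copied from the log posted in this thread; TRUSTED_HOSTS is an
assumption made for the demo, not a list HijackThis ships.
"""
import re
from urllib.parse import urlparse

SAMPLE_HJT = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {35F59C80-C1F2-4EEA-9981-686C7D5A9277} - http://ocx1.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {4B0999FD-6937-11D5-8FEC-00606779369C} (NetConf) -
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-es/es/games3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72EE2AF4-4DFB-44EE-AEF5-4338C5131DD9}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C619D4CB-20F5-43CF-BA19-7AF4DE15B5E0}: NameServer = 62.36.225.150 62.37.228.20
"""

# Assumption for the demo: download hosts accepted without further review.
TRUSTED_HOSTS = {"go.microsoft.com", "update.microsoft.com",
                 "spaces.msn.com", "messenger.zone.msn.com"}

# O16 - DPF: {CLSID} (optional friendly name) - optional download URL
O16_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? -\s*(\S+)?$')
# O17 - <Tcpip interface key>{GUID}: NameServer = a.b.c.d[,| ]e.f.g.h
O17_RE = re.compile(r'^O17 - (\S+?\{([0-9A-Fa-f-]+)\}): NameServer = (.+)$')


def parse_hjt(text):
    """Return {'o16': [...], 'o17': [...]} with one dict per recognised line."""
    result = {"o16": [], "o17": []}
    for line in text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            host = urlparse(url).hostname if url else None
            result["o16"].append({"clsid": clsid, "name": name, "url": url, "host": host})
            continue
        m = O17_RE.match(line)
        if m:
            key, guid, servers = m.groups()
            result["o17"].append({"key": key, "guid": "{" + guid + "}",
                                  "nameservers": re.split(r"[,\s]+", servers.strip())})
    return result


def review_o16(entries, trusted=TRUSTED_HOSTS):
    """Return (clsid, reason) for entries a reviewer should look at."""
    flagged = []
    for e in entries:
        if e["url"] is None:
            flagged.append((e["clsid"], "no download URL recorded"))
        elif e["host"] not in trusted:
            flagged.append((e["clsid"], f"downloaded from untrusted host {e['host']}"))
    return flagged


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for clsid, reason in review_o16(parsed["o16"]):
        print(f"O16 {clsid}: {reason}")
    for e in parsed["o17"]:
        print(f"O17 {e['guid']}: DNS {', '.join(e['nameservers'])}")
```

On the sample the three flagged CLSIDs are exactly the three O16 entries the helper asked to fix above; the O17 addresses are printed rather than judged, because whether they are the ISP's resolvers is something only the machine's owner can confirm.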

#7 alexio
  • Topic Starter
  • Members
  • 4 posts

Posted 07 September 2006 - 11:05 AM

Hello Again!

Sorry I couldn't reply faster, but I haven't had time to even touch my computer.
Anyway here's the logfile you wanted.


C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alex\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ewido anti-spyware.lnk = C:\Program Files\ewido anti-spyware 4.0\ewido.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137002405273
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156437554547
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72EE2AF4-4DFB-44EE-AEF5-4338C5131DD9}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C619D4CB-20F5-43CF-BA19-7AF4DE15B5E0}: NameServer = 62.36.225.150 62.37.228.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD01BE8B-9558-4A61-985E-4A17E1BD0078}: NameServer = 80.58.0.33
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 September 2006 - 11:18 AM

Hi,

A part of the running processes in your log is not present, but that's ok now... Guess the issue should be gone now.

Your hijackthislog looks clean. How are things now?

#9 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 September 2006 - 05:25 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



